Methods of Malware Persistence: On OS X Mavericks
@patrickwardle
PATRICK WARDLE
Synack: director of R&D
AN OUTLINE
METHODS OF PERSISTENCE
getting code to run every time a
mac reboots/user logs in
OS X MALWARE
AUTORUNS, FOR OS X
BACKGROUND
and why you should care
[chart: OS X malware share, percentage by year, '09 to '13]
MALWARE ON OS X?
BUT MACS DON'T GET MALWARE... RIGHT?
-> "IT DOESN'T GET PC VIRUSES. A MAC ISN'T SUSCEPTIBLE TO THE THOUSANDS OF VIRUSES PLAGUING WINDOWS-BASED COMPUTERS." (APPLE.COM)
APPLE'S RESPONSE
APPLE HAS CLEARLY SHORED UP THEIR OS
-> AN ACKNOWLEDGMENT (OR CONFIRMATION?) OF AN OS X MALWARE PROBLEM
XProtect
OS X's built-in anti-virus product
Gatekeeper
Sandboxing
Signed Code
XPROTECT
XPROTECT IS APPLE'S ANTI-MALWARE SYSTEM
-> THE 90S CALLED, THEY WANT THEIR STATIC SIGNATURE-BASED A.V. PRODUCT BACK
[diagram: detect based on a hash/filename?! malware -> hash match -> XProtect's signature file]
DOESN'T DETECT NEW/MODIFIED MALWARE
GATEKEEPER
GATEKEEPER VERIFIES DOWNLOADED SOFTWARE
-> UNVERIFIED BINARIES THAT HAVE BEEN DOWNLOADED MAY ALERT OR BE DENIED EXECUTION
quarantine flag explicitly added (extended attributes):
$ xattr -l ~/Downloads/googlechrome.dmg
com.apple.quarantine:0001;534e3038;Google Chrome;B8E3DA59-32F6-4580-8AB3...
DOES NOTHING TO PREVENT ADVANCED (EXPLOIT-BASED/DRIVE-BY) ATTACKS
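Gatekeeper's decision hinges on the com.apple.quarantine attribute shown above. As an added example (not code from the talk), here is a parser for that attribute's value together with the check a triage script would make; SAMPLE_QUARANTINE is constructed from the xattr output above, with a placeholder in place of the truncated UUID.

```python
from datetime import datetime, timezone

# Constructed from the xattr output in the talk; the UUID there is truncated,
# so the tail is a placeholder rather than a real event identifier.
SAMPLE_QUARANTINE = "0001;534e3038;Google Chrome;B8E3DA59-32F6-4580-8AB3-XXXXXXXXXXXX"

def parse_quarantine(value):
    """Split a com.apple.quarantine value into its ';'-separated fields.

    Layout as seen in the xattr output: flags in hex, the download time as a
    hex Unix timestamp, the agent (application) that set the flag, and the
    event identifier LaunchServices records in its quarantine events database.
    """
    parts = value.split(";", 3)
    if len(parts) < 2:
        raise ValueError("not a quarantine attribute: %r" % value)
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2] if len(parts) > 2 else "",
        "event_uuid": parts[3] if len(parts) > 3 else "",
    }

def gatekeeper_applies(xattrs):
    """Gatekeeper only evaluates files carrying the quarantine attribute.

    xattrs maps attribute name -> value (what `xattr -l` prints). A file
    written by an exploit payload or a dropper never receives the attribute,
    which is why the talk says Gatekeeper does nothing against drive-by attacks.
    """
    return "com.apple.quarantine" in xattrs
```

On a live system the attribute names and values come from `xattr -l <file>`; anything auto-started from a location without the attribute was not vetted by Gatekeeper.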
APP SANDBOX
APPS EXECUTE WITHIN A SANDBOX
-> THIS ACTUALLY DOES A SOLID JOB OF PREVENTING APPS FROM ACCESSING EXTERNAL RESOURCES
[diagram: the sandbox sits between the app and both user data and system resources]
SIGNED APPS
THE OS (MACH-O) LOADER VERIFIES ALL SIGNATURES
-> THIS ALLOWS APPS TO BE VERIFIED AND PREVENTS MALICIOUS MODIFICATIONS (INFECTIONS)
[crash report: infecting Safari; the modified binary is killed by the loader! (Crashed Thread: 0)]
(un)SIGNED APPS
OK, BUT CAN SIGNED APPS REALLY BE PROTECTED?
-> THE CRYPTO SEEMS SOLID... BUT WHAT IF IT WASN'T THERE ANYMORE?
code signature -> unsign/infect
# unsign.py Safari.app/Contents/MacOS/Safari
(Safari code signature removed)
$ open Safari.app/Contents/MacOS/Safari
:)
SIGNED KEXTS
STARTING ON OS X MAVERICKS, KEXTS MUST BE SIGNED
-> SIMILAR TO WINDOWS, THIS AIMS TO PREVENT UNAUTHORIZED CODE FROM BEING LOADED INTO RING-0
[diagram: kernel-mode / user-mode; unsigned kext]
(un)SIGNED KEXTS
BUT I REALLY WANT MY UNSIGNED KEXT TO LOAD!
-> LET'S ABUSE A DESIGN FLAW (SEE: HTTP://REVERSE.PUT.AS/ FOR MORE DETAILS).
kextd_request.c:
    // check signature
    sigResult = checkKextSignature(theKext);

    // invalid signature?
    if (sigResult != 0)
    {
        // error msg
        OSKextLogCFString(/* ... */ CFSTR("ERROR: invalid signature, will not load"));

        // bail
        goto finish;
    }

    // load kext
    OSKextLoadWithOptions(theKext);
(un)SIGNED KEXTS
BUT I REALLY WANT MY UNSIGNED KEXT TO LOAD (AGAIN)!
-> IN-MEMORY PATCHING IS A PAIN, THERE'S GOTTA BE A SIMPLER WAY
direct load == bypasses check  // profit :)
# kextstat | grep -i unsigned
378  0  0xffffff7f82877000  0x2000  0x2000  com.synack.unsigned (1) <4>
LOTS OF MACS + FEEBLE ANTI-MALWARE PROTECTIONS + LIMITED OS X MALWARE ANALYSIS TOOLS = OS X MALWARE
THE PROCESS
LETS DIVE IN!
-> THE BOOT [OR STARTUP] PROCESS IS A LONG AND ARDUOUS FLOW
[diagram: Power On/Boot (pre-OS execution) -> Kernel -> launchd -> loginwindow (auth the user)]
JONATHAN LEVIN, MAC OS X AND IOS INTERNALS: TO THE APPLE'S CORE
POWER ON/BOOT
EARLY STARTUP
-> BOOTING: FROM POWER ON UNTIL THE CPU BEGINS EXECUTING THE KERNEL (OS X)
[diagram: Power On -> BootROM (init hardware and select the OS) -> Boot.efi -> OS X Kernel (init the OS's core)]
BOOTROM
BOOTROM; AKA FIRMWARE
-> COMPOSED OF THE P.O.S.T. (POWER-ON SELF TEST) AND AN E.F.I. (EXTENSIBLE FIRMWARE INTERFACE), THE BOOTROM VERIFIES MEMORY, INITIALIZES SYSTEM HARDWARE, AND SELECTS THE OS PARTITION
[diagram: BootROM version; verify memory -> init hardware -> select OS partition]
BOOT.EFI
BOOT.EFI: LOAD UP THE KERNEL
-> ONCE THE BOOTROM IS FINISHED, CONTROL IS PASSED TO BOOT.EFI ON THE SELECTED PARTITION
# hexdump -C /System/Library/CoreServices/boot.efi
BOOTING OS X
BOOTING OS X: FROM THE KERNEL TO THE DESKTOP
-> KERNEL, LAUNCHD, AND FINALLY LOGGING IN
[diagram: the Kernel -> launchd (load daemons/agents) -> LoginWindow (auth the user) -> User's Session (desktop, etc)]
// path to launchd
static char init_program_name[128] = "/sbin/launchd";

// kick off launchd
void load_init_program(proc_t p)
{
    // copies init_program_name into init_exec_args
    ...

    // launch it
    execve(p, &init_exec_args, retval);
}
(spawning launchd)
LAUNCHD
LAUNCHD IS BASICALLY LINUX'S INIT
-> AS THE FIRST PROGRAM TO LAUNCH, IT BOOTS THE USER COMPONENT OF THE SYSTEM, THEN MAINTAINS IT
# ps -p 1
LOGINWINDOW
LOGINWINDOW; THE LOGIN GUI
-> AUTHENTICATES THE USER, SETS UP THE ENVIRONMENT, THEN MANAGES THE SESSION
METHODS of PERSISTENCE
where malware may live
LOW LEVEL
THE BOOT PROCESS AFFORDS SEVERAL OPPORTUNITIES
-> OFTEN HIGHLY COMPLEX, THOUGH VERY INSIDIOUS AND DIFFICULT TO DETECT
KERNEL EXTENSIONS
KERNEL EXTENSIONS ARE LOADED AUTOMATICALLY (RING-0)
-> AN IDEAL SPOT FOR ADVANCED OS X MALWARE TO PERSIST
also: /System/Library/Extensions
# cp -R persist.kext /Library/Extensions

# kextcache -system-prelinked-kernel
# kextcache -system-caches
(installing a kext)
LAUNCH DAEMONS/AGENTS
LAUNCH DAEMONS & AGENTS SIMILAR TO WINDOWS SERVICES
-> MALWARE WILL OFTEN ABUSE THESE TO GAIN AUTOMATIC REBOOT/LOGIN PERSISTENCE
daemons: non-interactive, launched pre-login
    /System/Library/LaunchDaemons
    /Library/LaunchDaemons
agents: interactive, launched post-login
    /System/Library/LaunchAgents
    /Library/LaunchAgents
    ~/Library/LaunchAgents
LAUNCH DAEMONS/AGENTS
DAEMONS & AGENTS ARE REGISTERED VIA PROPERTY LISTS
-> THESE PLISTS INSTRUCT LAUNCHD HOW/WHEN TO LOAD THEM
[diagram: daemon/agent plist -> description, auto launch, binary image]
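As an added example (not code from the talk or from knockknock), here is a plistlib-based triage of a single daemon/agent plist applying the checks a defender would make on those keys: auto-start settings, hidden or temporary program paths, and Apple-looking labels in non-system locations. Both sample plists are constructed, modelled on the Flashback and Crisis items shown later in the deck.

```python
import plistlib

# Constructed samples (not files from the talk): the first mirrors the
# Flashback agent shown later in the deck, the second a Crisis-style label
# that impersonates an Apple daemon inside a user's LaunchAgents folder.
FLASHBACK_PLIST = plistlib.dumps({
    "Label": "com.java.update.plist",
    "ProgramArguments": ["/Users/user/.jupdate"],
    "RunAtLoad": True,
})
IMPERSONATOR_PLIST = plistlib.dumps({
    "Label": "com.apple.mdworker",
    "ProgramArguments": ["/Users/user/Library/Application Support/updater"],
})

def program_of(plist):
    """launchd executes Program if set, otherwise ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None

def triage(plist_bytes, plist_path):
    """Parse one LaunchAgent/LaunchDaemon plist and return a triage record;
    plist_path is where the file lives (needed for the location heuristics)."""
    plist = plistlib.loads(plist_bytes)
    prog = program_of(plist)
    label = plist.get("Label") or ""
    rec = {"label": label, "program": prog, "flags": [],
           "autostart": bool(plist.get("RunAtLoad") or plist.get("KeepAlive"))}
    if prog is None:
        rec["flags"].append("no Program/ProgramArguments")
        return rec
    # Hidden directory or dotfile anywhere in the program path (Flashback: ~/.jupdate).
    if any(part.startswith(".") for part in prog.split("/") if part):
        rec["flags"].append("hidden path component in program")
    # Legitimate agents are not installed into world-writable scratch space.
    if prog.startswith(("/tmp/", "/var/tmp/", "/private/tmp/")):
        rec["flags"].append("program in temporary directory")
    # Apple-looking label outside /System (Crisis: com.apple.mdworker in ~/Library).
    if label.startswith("com.apple.") and not plist_path.startswith("/System/"):
        rec["flags"].append("Apple-style label outside /System")
    # Convention is Label == filename minus .plist; malware frequently ignores it.
    name = plist_path.rsplit("/", 1)[-1]
    stem = name[:-6] if name.endswith(".plist") else name
    if label and label != stem:
        rec["flags"].append("label does not match plist filename")
    return rec
```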
CRON JOBS
CRON JOBS CAN BE USED TO AUTOMATICALLY PERFORM ACTIONS
-> MALWARE WRITERS COMING FROM LINUX BASED BACKGROUNDS LOVE THIS TECHNIQUE
$ crontab /tmp/persistJob

$ crontab -l
* * * * * echo "I'm persisting"
LOGIN/LOGOUT HOOKS
LOGIN/LOGOUT HOOKS ARE DEPRECATED, BUT STILL WORK
-> ALLOW A SCRIPT TO BE AUTOMATICALLY EXECUTED AT LOGIN AND/OR LOGOUT
/private/var/root/Library/Preferences/com.apple.loginwindow.plist (login hook -> script)
LOGIN ITEMS
LOGIN ITEMS ARE THE LEGITIMATE WAY TO PERSIST
-> CAN BE VIEWED IN THE GUI; SYSTEM PREFERENCES -> USERS & GROUPS -> LOGIN ITEMS
~/Library/Preferences/com.apple.loginitems.plist
<dict>
    <key>com.apple.LSSharedFileList.Binding</key>
    <data>
    ZG5pYgAAAAACAAAAAAAAAAAAAAAAAAAAAAAA...
    </data>
    <key>com.apple.LSSharedFileList.ItemIsHidden</key>
    <true/>
    <key>com.apple.loginitem.HideOnLaunch</key>
    <true/>
    <key>Name</key>
    <string>iTunesHelper</string>
</dict>
STEP 1: COPY THE APP TO PERSIST INTO <MAIN>.APP/CONTENTS/LIBRARY/LOGINITEMS/
STEP 2: IN THE MAIN APP, INVOKE SMLOGINITEMSETENABLED() WITH THE IDENTIFIER OF THE APP TO PERSIST
/private/var/db/launchd.db/com.apple.launchd.peruser.501/overrides.plist
RE-OPENED APPS
ON LOGIN, ANY OPENED WINDOWS OR APPS WILL BE RESTORED
-> AN ATTACKER COULD POSSIBLY ABUSE THIS FUNCTIONALITY TO PERSIST MALWARE
~/Library/Preferences/ByHost/com.apple.loginwindow.<hardware UUID>.plist
<dict>
    <key>TALAppsToRelaunchAtLogin</key>
    <array>
        <dict>
            <key>BundleID</key>
            <string>com.apple.terminal</string>
            <key>Hide</key>
            <false/>
            <key>Path</key>
            <string>/Applications/Utilities/Terminal.app</string>
        </dict>
STARTUP ITEMS
#!/bin/sh
. /etc/rc.common
StartService()
{
    # anything here
}
RunService "$1"

Persistent script in either:
/System/Library/StartupItems
/Library/StartupItems

StartupParameters.plist:
{
    Description = "anything";
    Provides = ("<name>");
}
RC.COMMON
# vim /etc/rc.common

...
add any commands (at end)
(modifying rc.common)
LAUNCHD.CONF
LAUNCHD.CONF IS THE CONFIGURATION FILE FOR LAUNCHD
-> CAN BE ABUSED FOR PERSISTENCE, BY INJECTING COMMANDS TO BE EXECUTED BY LAUNCHCTL
launchd.conf
'bsexec' is a launchctl command that executes other commands. Perfect!
MACH-O INFECTION
BINARY INFECTION IS ONE OF THE OLDEST PERSISTENCE TECHNIQUES
-> MACH-O BINARIES CAN BE INFECTED IN A MYRIAD OF WAYS
[diagram: Mach-O structure, entry point]
APPLICATION SPECIFIC
PERSISTENCE BY TARGETING APP SPECIFIC LOGIC/FRAMEWORKS
-> FOR EXAMPLE, PLUGINS OR EXTENSIONS ARE OFTEN ABUSED FOR PERSISTENCE
[diagram: evil plugin (credit: fG!) loaded by Safari, Chrome, Firefox, iTunes; a library with a constructor, #include <syslog.h>]
NO LONGER SUPPORTED
APPLE HAS FULLY DEPRECATED/ NOW PREVENTS SEVERAL METHODS
-> MALWARE WRITERS: TIME TO UPDATE YOUR CODE! ;)
couldn't get these working on Mavericks:
~/.MacOSX/environment.plist
/Library/Preferences/com.apple.SystemLoginItems.plist
old skewl loginwindow AutoLaunchedApplicationDictionary
DYLD_INSERT_LIBRARIES (signed)
PERSISTENT MALWARE
careful now ;)
CALL ME
CALLME IS DISTRIBUTED VIA MALICIOUS WORD DOCUMENTS
-> TARGETED, IT PROVIDES THE ABILITY TO UPLOAD/DOWNLOAD FILES AS WELL AS EXECUTE ARBITRARY COMMANDS
fs_usage is like FileMon
# fs_usage -w -filesystem | grep OSX_CallMe
open       /library/LaunchDaemons/.dat035f.000
WrData[A]  /library/LaunchDaemons/.dat035f.000
rename     /library/LaunchDaemons/.dat035f.000 -> /library/LaunchDaemons/realPlayerUpdate.plist
$ ls /Library/LaunchDaemons/real*
realPlayerUpdate.plist   (malware)
FLASHBACK
FLASHBACK EXPLOITS A JAVA BUG TO INFECT 1/2M+ MACS
-> INJECTS ADS INTO USERS' HTTP/HTTPS STREAMS
$ less ~/Library/LaunchAgents/com.java.update.plist
<?xml version="1.0" encoding="UTF-8"?>
<dict>
    <key>Label</key>
    <string>com.java.update.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/user/.jupdate</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
...
(/Users/user/.jupdate is the malware's binary)
CRISIS
method name:
[NSString stringWithFormat:@"%@%@", NSHomeDirectory(), @"Library/LaunchAgents/com.apple.mdworker.plist"];
JANICAB
JANICAB IS SIGNED AND WRITTEN IN (COMPILED) PYTHON
-> ABUSING A RIGHT-TO-LEFT OVERRIDE (RLO) TRICK, IT COLLECTS AUDIO AND SCREENSHOTS
janicab's installer.py:
"""add to crontab"""
(RLO trick)
KITMOS
-[FileBackupAppDelegate checkAutorun]
mov dword ptr [esp+18h], 0
mov dword ptr [esp+14h], 0
mov [esp+10h], ebx
mov dword ptr [esp+0Ch], 0
mov dword ptr [esp+8], 0
mov [esp+4], eax        ; _kLSSharedFileListItemLast_ptr
mov [esp], edi          ; _LSSharedFileListCreate
call LSSharedFileListInsertItemURL
YONTOO
+[ExtensionsInstaller installSafariExtension:]
    "~/Library/Safari/Extensions/Extensions.plist"
+[ExtensionsInstaller installFirefoxExtension:]
    "~/Library/Application Support/Mozilla/Extensions"
+[ExtensionsInstaller installChromeExtension:]
    "~/Library/Application Support/Google/Chrome/External Extensions"
RENEPO (OPENER)
RENEPO IS AN OLDER SAMPLE THAT'S WRITTEN AS A SCRIPT
-> DISABLES SECURITY MECHANISMS, AND CAN DOWNLOAD/INSTALL OTHER HACKER TOOLS (E.G. PASSWORD CRACKERS)
# less OSX_Renepo
scriptpath=`pwd`
scriptfolder=`basename $scriptpath`
scriptname=`basename $0`

mkdir /System/Library/StartupItems/"${scriptname}"
cp "${scriptpath}"/"${scriptname}" /System/Library/StartupItems/"${scriptname}"/"${scriptname}"

...
MACPROTECTOR
MACPROTECTOR IS A FAKE (ROGUE) AV PRODUCT
-> LEVERAGES SAFARI'S OPEN "SAFE" FILES AFTER DOWNLOADING TO DOWNLOAD AND BEGIN EXECUTION
~/Library/Preferences/com.apple.loginitems.plist
<dict>
    <key>Alias</key>
    <data>
    ZG5pYgAAAAACAAAAAAAAAAAAAAAAAAAAAAAA...
    </data>
    <key>Name</key>
    <string>MacProtector</string>
</dict>
CLAPZOK
CLAPZOK IS A MULTI-PLATFORM VIRUS
-> INFECTS EXECUTABLE BINARIES BY INSERTING VIRAL CODE, THEN HIJACKING THE ENTRY POINT
from http://reverse.put.as/ (fG!)
[diagram: entry point load command (LC) hijacked]
[diagram: knockknock: malware scan -> core engine -> plugins]
# init results
results['launchAgents'] = []
if plistData.get('RunAtLoad'):
    results['launchAgents'].append(file.File(plistData['ProgramArguments'][0]))
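As an added example, not knockknock's own code, here is a stand-alone version of that plugin logic: it walks the launch daemon/agent directories under a chosen root, applies the RunAtLoad rule and MD5s each program the way knockknock's "hash:" lines do. build_sample_tree constructs a throwaway tree with a Flashback-style user agent so the scan runs offline; on a live system pass root="/" and the real home directories.

```python
import hashlib
import os
import plistlib
import tempfile

# Directories launchd consults, relative to root so a constructed tree scans offline.
LAUNCH_DIRS = ["System/Library/LaunchDaemons", "Library/LaunchDaemons",
               "System/Library/LaunchAgents", "Library/LaunchAgents"]

def md5_file(path):
    """Hex MD5 of a whole file (the hash: lines in knockknock's output)."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def scan_launch_dirs(root, user_homes=()):
    """Report each auto-started item (RunAtLoad + a program), as the plugin above does."""
    dirs = LAUNCH_DIRS + [os.path.join(h, "Library/LaunchAgents") for h in user_homes]
    found = []
    for rel in dirs:
        d = os.path.join(root, rel)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            plist_path = os.path.join(d, name)
            try:
                with open(plist_path, "rb") as f:
                    data = plistlib.load(f)
            except Exception:  # not a parseable plist: report it rather than skip it
                found.append({"plist": plist_path, "error": "unparseable"})
                continue
            prog = data.get("Program") or (data.get("ProgramArguments") or [None])[0]
            if not data.get("RunAtLoad") or not prog:
                continue
            full = os.path.join(root, prog.lstrip("/"))  # re-root the absolute path
            found.append({"plist": plist_path, "label": data.get("Label"), "program": prog,
                          "hash": md5_file(full) if os.path.isfile(full) else None})
    return found

def build_sample_tree():
    """Constructed fixture: a Flashback-style user agent plus an empty stand-in binary."""
    root = tempfile.mkdtemp()
    agents = os.path.join(root, "Users/user/Library/LaunchAgents")
    os.makedirs(agents)
    open(os.path.join(root, "Users/user/.jupdate"), "wb").close()
    with open(os.path.join(agents, "com.java.update.plist"), "wb") as f:
        plistlib.dump({"Label": "com.java.update.plist", "RunAtLoad": True,
                       "ProgramArguments": ["/Users/user/.jupdate"]}, f)
    return root
```

A program path whose file does not exist (hash None) is itself worth a look: the plist persists but the binary was removed or lives somewhere the scan could not resolve.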
# python knockknock.py -p cronjob
who's there?
[launchDaemons]
Little Snitch Daemon
  path: /Library/Little Snitch/Little Snitch Daemon.bundle
  hash: dfdda5c6da26a9c890fea7ec2681998e

[cronJobs]
realPlayerUpdate
  * * * * * python ~/.t/runner.pyc
  path: /Library/Application Support/.realPlayerUpdate
  hash: 544539ea546e88ff462814ba96afef1a

[launchAgents]
Little Snitch Agent
  path: /Library/Little Snitch/Little Snitch Agent.app/Contents
  hash: 1a4a575ba98acd455bbb0712abee8df7
SOME CONCLUSIONS
MACS ARE NOT THAT SECURE
QUESTIONS/ANSWERS
www.synack.com
patrick@synack.com
@patrickwardle
github.com/synack/knockknock